Integrating GRC

Republished from June 2014.

I've been thinking about a strategy for integrating Governance - Risk - Compliance activities. In any organization it is natural to organize around functional or regional lines. Specialization leads to silos. Silos don't integrate well. Our goal is figuring out how to design an organization and its business processes to maximize agility, capability, and ultimately effectiveness - that means breaking and/or integrating the silos.

There is overlap between governance (management and structure), risk management, and compliance activities. Focusing on one aspect without consideration of the others may not meet corporate goals like performance excellence. To achieve performance excellence, integration is our primary objective and just-enough specialization is our secondary objective. This appears to be a multidimensional problem where integration objectives, core capability (business strength and differentiation), and cross-functional capability (enabling services) need to be identified.

A multidimensional solution based on capability is what many organizations need guidance on. One of the pillars of continuous process improvement is process management and modelling. However, many organizations lack the maturity and experience in doing process modelling. Project teams extend beyond critical processes and try to document everything. Then there is no end goal of building this "organizational insight" into their corporate DNA. The results are static process models that take a lot of people a lot of time to produce, with little realizable value. However, how can you adequately determine risk without that detailed process insight into how your business really operates?

Organizational designers should focus on a top-down problem decomposition into core and cross-functional groups. Call them practices, categories, portfolios, etc. It doesn't matter what they are called, as long as there is a logical grouping that makes sense for the organization. Focus on only the critical process groups: those that drive value creation, sustainment, and protection.

The following example is something I'd propose for an energy company. (It looks similar to the COSO cube or some of the Enterprise Architecture frameworks I've seen.)

Once this model is built, owners can be assigned in each group to move the ball towards the goal, apply PDCA, and enable integrated process and reporting.